01-29-2009 10:35 PM - edited 03-11-2019 07:43 AM
I came across this syslog message while troubleshooting an access issue and real-time log viewing. This syslog message looks serious, but how and what do you do?
Syslog ASA-2-106017 : Deny IP due to Land Attack from IP_address to IP_address.
The land attack lists the IP addresses to be my outside global address. That is the address I use for internet traffic!
Not sure how to treat this issue?
Thanks,
01-30-2009 12:58 AM
This message appears when you have enabled Unicast RPF.
Even though an attack is in progress, if this feature is enabled, no user action is required. The Cisco ASA repels the attack.
Syed
01-30-2009 07:04 AM
Hi Syed,
I did not enable Unicast RPF.
Is this feature enabled by default?
How does the ASA repel the attack?
Any recommended reading about this on Cisco?
Thanks,
Suhail
01-30-2009 06:51 PM
I have the same issue on my ASA, just the source and destination IPs are 0.0.0.0 0.0.0.0.
I posted this issue here and got a reply from someone with the following explanation:
"Somebody has released a program, known as land.c, which can be used to launch denial of service attacks against various TCP implementations. The program sends a TCP SYN packet (a connection initiation), giving the target host's address as both source and destination, and using the same port on the target host as both source and destination."
You can read about land.c on the Cisco website:
http://www.cisco.com/en/US/products/products_security_advisory09186a00800b1693.shtml
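For triaging the 106017 messages discussed above, here is an added example that is not part of any post in this thread and is not Cisco code: it pulls the two addresses out of each message and labels the pair as the 0.0.0.0 case, one of the firewall's own addresses, or something else. The log lines are constructed, 203.0.113.10 stands in for an outside interface address, and `triage` and its labels are hypothetical names.

```python
import ipaddress
import re
from collections import Counter

# Matches the message text quoted in the thread; tolerant of an optional
# leading "%" and of spacing around the colon.
LAND_RE = re.compile(
    r"%?ASA-2-106017\s*:\s*Deny IP due to Land Attack from (\S+) to (\S+)"
)

# Constructed sample lines (documentation address range, not real traffic).
SAMPLE_LOG = [
    "Jan 29 2009 22:31:07: %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10",
    "Jan 29 2009 22:31:09: %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10",
    "Jan 30 2009 18:50:41: %ASA-2-106017: Deny IP due to Land Attack from 0.0.0.0 to 0.0.0.0",
    # Template text with no real addresses: must be skipped, not crash.
    "Syslog ASA-2-106017 : Deny IP due to Land Attack from IP_address to IP_address.",
]

def triage(lines, own_addresses):
    """Count 106017 events per (src, dst) pair and label each pair."""
    own = {ipaddress.ip_address(a) for a in own_addresses}
    counts = Counter()
    for line in lines:
        m = LAND_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1).rstrip("."))
            dst = ipaddress.ip_address(m.group(2).rstrip("."))
        except ValueError:
            continue  # placeholder text or malformed address
        counts[(src, dst)] += 1
    report = []
    for (src, dst), n in counts.most_common():
        if src.is_unspecified and dst.is_unspecified:
            label = "unspecified"    # the 0.0.0.0 to 0.0.0.0 case
        elif src == dst and src in own:
            label = "own-address"    # firewall's own address on both sides
        elif src == dst:
            label = "same-address"
        else:
            label = "mismatch"       # not what this message should report
        report.append((str(src), str(dst), n, label))
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, ["203.0.113.10"]):
        print(row)
```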
02-09-2009 12:01 PM
...I checked the advisory, and it is 12 years old.....that is way too old....